gcube-app file updated

5 years ago · 0f156c6637
parent 0508aa0e3a
commit 0f156c6637
7 changed files with 67 additions and 53 deletions
--- a/.settings/org.eclipse.wst.common.component
+++ b/.settings/org.eclipse.wst.common.component
@ -7,7 +7,7 @@
        <dependent-module archiveName="authorization-control-library-1.1.0-SNAPSHOT.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/authorization-control-library/authorization-control-library">
            <dependency-type>uses</dependency-type>
        </dependent-module>
-        <dependent-module archiveName="storagehub-model-1.0.5.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/storagehub-model/storagehub-model">
+        <dependent-module archiveName="storagehub-model-1.0.5-SNAPSHOT.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/storagehub-model/storagehub-model">
            <dependency-type>uses</dependency-type>
        </dependent-module>
        <property name="context-root" value="storagehub"/>
--- a/distro/gcube-app.xml
+++ b/distro/gcube-app.xml
@ -1,7 +1,7 @@
 <application mode='online'>
 		<name>StorageHub</name>
 		<group>DataAccess</group>
-		<version>1.0.0-SNAPSHOT</version>
+		<version>${version}</version>
 		<description>Storage Hub webapp</description>
 		<local-persistence location='target' />
 </application>
--- a/pom.xml
+++ b/pom.xml
@ -12,7 +12,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.gcube.data.access</groupId>
 	<artifactId>storagehub</artifactId>
-	<version>1.0.8</version>
+	<version>1.0.8-SNAPSHOT</version>
 	<name>storagehub</name>

 	<scm>
--- a/src/main/java/org/gcube/data/access/storagehub/services/ACLManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/ACLManager.java
@ -143,19 +143,19 @@ public class ACLManager {
 		InnerMethodName.instance.set("setACLById");
 		Session ses = null;
 		try{
-			
+
 			ses = repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
-			
+
 			Node node = ses.getNodeByIdentifier(id);

 			Item item = node2Item.getItem(node, Excludes.ALL);
-			
+
 			if (!(item instanceof SharedFolder))
 				throw new InvalidItemException("the item is not a shared folder");
-			
+
 			if (item.getOwner().equals(user))
 				throw new UserNotAuthorizedException("owner acl cannot be changed");
-			
+
 			authChecker.checkAdministratorControl(ses, (SharedFolder) item);

 			SharedFolder folder = ((SharedFolder)item);
@ -234,14 +234,14 @@ public class ACLManager {
 	 * 
 	 * 
 	 * @param String user
-	 * @param accessType accessType
+	 * 
 	 * 
 	 * @exception {@link RepositoryException} when a generic jcr error occurs
 	 * @exception {@link UserNotAuthorizedException} when the caller is not ADMINISTRATOR of the shared folder
 	 * @exception {@link InvalidCallParameters} when the folder is not shared with the specified user
 	 * @exception {@link InvalidItemException} when the folder is not share
 	 */
-	/*@DELETE
+	@DELETE
 	@Consumes(MediaType.TEXT_PLAIN)
 	@Path("{id}/acls/{user}")
 	public void removeACL(@PathParam("user") String user) {
@ -261,28 +261,26 @@ public class ACLManager {

 			SharedFolder folder = ((SharedFolder)item);

-			if (folder.isVreFolder()) {
-				AccessControlManager acm = ses.getAccessControlManager();
-				JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath());
+			AccessControlManager acm = ses.getAccessControlManager();
+			JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath());


-				AccessControlEntry entryToDelete= null;
-				for (AccessControlEntry ace :acls.getAccessControlEntries()) {
-					if (ace.getPrincipal().getName().equals(user)) {
-						entryToDelete = ace;
-						break;
-					}
-
+			AccessControlEntry entryToDelete= null;
+			for (AccessControlEntry ace :acls.getAccessControlEntries()) {
+				if (ace.getPrincipal().getName().equals(user)) {
+					entryToDelete = ace;
+					break;
 				}
-				if (entryToDelete!=null)
-					acls.removeAccessControlEntry(entryToDelete);
-				else return; 
-				
-				acm.setPolicy(folder.getPath(), acls);
-				ses.save();
-				log.debug("removed Access control entry for user {}",user);

-			} else throw new InvalidCallParameters("remove acl can be called only on VRE folder");
+			}
+			if (entryToDelete!=null)
+				acls.removeAccessControlEntry(entryToDelete);
+			else return; 
+
+			acm.setPolicy(folder.getPath(), acls);
+			ses.save();
+			log.debug("removed Access control entry for user {}",user);
+

 		}catch(RepositoryException re){
 			log.error("jcr error extracting archive", re);
@ -294,7 +292,7 @@ public class ACLManager {
 			if (ses!=null)
 				ses.logout();
 		}
-	}*/
+	}

 	@GET
 	@Path("{id}/acls/write")
--- a/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
@ -56,6 +56,7 @@ public class GroupManager {
 	@Context ServletContext context;

 	private static final String VREMANAGER_ROLE = "VRE-Manager";
+	private static final String INFRASTRUCTURE_MANAGER_ROLE = "Infrastructure-Manager";
 	
 	private static final Logger log = LoggerFactory.getLogger(GroupManager.class);

@ -100,7 +101,7 @@ public class GroupManager {
 	@POST
 	@Path("")
 	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
-	@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
+	@AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
 	public String createGroup(@FormParam("group") String group, @FormParam("accessType") AccessType accessType){
 		
 		InnerMethodName.instance.set("createGroup");
@ -109,7 +110,8 @@ public class GroupManager {
 		String groupId = null;
 		try {
 			
-			checkGroupValidity(group);
+			if (!isValidGroupForContext(groupId))
+				throw new UserNotAuthorizedException("only VREManager can execute this operation");
 			
 			session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
 						
@ -134,7 +136,7 @@ public class GroupManager {

 	@DELETE
 	@Path("{group}")
-	@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
+	@AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
 	public String deleteGroup(@PathParam("group") String group){
 		
 		InnerMethodName.instance.set("deleteGroup");
@ -142,7 +144,9 @@ public class GroupManager {
 		JackrabbitSession session = null;
 		try {
 			
-			checkGroupValidity(group);
+			if (!isValidGroupForContext(group))
+				throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
+			
 			session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));

 			org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@ -163,14 +167,17 @@ public class GroupManager {
 			if (session!=null)
 				session.logout();
 		}
-
 		return group;
 	}

+	
+	public boolean isAdmin() { return AuthorizationProvider.instance.get().getClient().getRoles().contains(INFRASTRUCTURE_MANAGER_ROLE); }
+
+		
 	@PUT
 	@Path("{id}")
 	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
-	@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
+	@AuthorizationControl(allowedRoles={VREMANAGER_ROLE, INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
 	public boolean addUserToGroup(@PathParam("id") String groupId, @FormParam("userId") String userId){
 		
 		InnerMethodName.instance.set("addUserToGroup");
@ -179,7 +186,8 @@ public class GroupManager {
 		boolean success = false;
 		try {
 			
-			checkGroupValidity(groupId);
+			if (!isValidGroupForContext(groupId) && !isAdmin())
+				throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
 			
 			session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));

@ -214,7 +222,7 @@ public class GroupManager {

 	@DELETE
 	@Path("{groupId}/users/{userId}")
-	@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
+	@AuthorizationControl(allowedRoles={VREMANAGER_ROLE, INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
 	public boolean removeUserFromGroup(@PathParam("groupId") String groupId, @PathParam("userId") String userId){
 		
 		InnerMethodName.instance.set("removeUserFromGroup");
@ -223,7 +231,8 @@ public class GroupManager {
 		boolean success = false;
 		try {
 			
-			checkGroupValidity(groupId);
+			if (!isValidGroupForContext(groupId) && !isAdmin())
+				throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
 			
 			session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));

@ -274,7 +283,8 @@ public class GroupManager {
 		List<String> users = new ArrayList<>();
 		try {
 			
-			checkGroupValidity(groupId);
+			if (!isValidGroupForContext(groupId))
+				throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");	
 			
 			session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));

@ -350,12 +360,10 @@ public class GroupManager {
 		return vreFolder;
 	}

-	private void checkGroupValidity(String group) throws UserNotAuthorizedException{
+	private boolean isValidGroupForContext(String group){
 		String currentContext = ScopeProvider.instance.get();
 		String expectedGroupId= currentContext.replace("/", "-").substring(1);
-		if (!group.equals(expectedGroupId)) 
-			throw new UserNotAuthorizedException("only VREManager can execute this operation");	
-
+		return group.equals(expectedGroupId);
 	}
 	
 }
--- a/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
@ -28,8 +28,10 @@ import org.apache.jackrabbit.api.security.user.QueryBuilder;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
 import org.gcube.common.authorization.control.annotations.AuthorizationControl;
+import org.gcube.common.authorization.library.provider.AuthorizationProvider;
 import org.gcube.common.gxrest.response.outbound.GXOutboundErrorResponse;
 import org.gcube.common.storagehub.model.exceptions.BackendGenericError;
+import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
 import org.gcube.common.storagehub.model.types.NodeProperty;
 import org.gcube.data.access.storagehub.Constants;
 import org.gcube.data.access.storagehub.Utils;
@ -42,6 +44,8 @@ import org.slf4j.LoggerFactory;
@Path("users")
 public class UserManager {

+	private static final String INFRASTRUCTURE_MANAGER_ROLE = "Infrastructure-Manager";
+	
 	@Context ServletContext context;
 	
 	private static final Logger log = LoggerFactory.getLogger(UserManager.class);
@ -88,14 +92,15 @@ public class UserManager {
 	@POST
 	@Path("")
 	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
-	@AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
+	@AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
 	public String createUser(@FormParam("user") String user, @FormParam("password") String password){

 		JackrabbitSession session = null;
 		String userId = null;
 		try {
 			session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
-
+			
+						
 			org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();

 			User createdUser = usrManager.createUser(user, password);
@ -125,18 +130,21 @@ public class UserManager {


 	@DELETE
-	@Path("{id}")
-	@AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
-	public String deleteUser(@PathParam("id") String id){
+	@Path("{user}")
+	@AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
+	public String deleteUser(@PathParam("user") String user){

+		
+		
 		JackrabbitSession session = null;
 		String userId = null;
 		try {
+			
 			session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));

 			org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();

-			org.gcube.common.storagehub.model.Path path = Utils.getWorkspacePath(id);
+			org.gcube.common.storagehub.model.Path path = Utils.getWorkspacePath(user);


 			String sql2Query = String.format("SELECT * FROM [nthl:workspaceSharedItem] AS node WHERE ISDESCENDANTNODE('%s')", path.toPath());
@ -152,12 +160,12 @@ public class UserManager {
 				Node rNode = nodeIt.nextNode();
 				String title = rNode.hasProperty(NodeProperty.TITLE.toString()) ? rNode.getProperty(NodeProperty.TITLE.toString()).getString():"unknown";
 				log.debug("removing sharing for folder name {} with title {} and path {} ",rNode.getName(), title, rNode.getPath());
-				unshareHandler.unshare(session, Collections.singleton(id), rNode, id);
+				unshareHandler.unshare(session, Collections.singleton(user), rNode, user);
 			}

-			Authorizable authorizable = usrManager.getAuthorizable(new PrincipalImpl(id));
+			Authorizable authorizable = usrManager.getAuthorizable(new PrincipalImpl(user));
 			if (!authorizable.isGroup()) {
-				log.info("removing user {}", id);
+				log.info("removing user {}", user);
 				authorizable.remove();
 			}
 			session.save();
--- a/src/main/webapp/WEB-INF/gcube-app.xml
+++ b/src/main/webapp/WEB-INF/gcube-app.xml
@ -1,7 +1,7 @@
 <application mode='online'>
 		<name>StorageHub</name>
 		<group>DataAccess</group>
-		<version>1.0.0-SNAPSHOT</version>
+		<version>1.0.8-SNAPSHOT</version>
 		<description>Storage Hub webapp</description>
 		<local-persistence location='target' />
 </application>